1. Cyber crime. Cyber crime hits many Americans in the form of identity theft, phishing, or cyber vandalism. In 2006, the Government Accountability Office estimated that cyber identity theft cost U.S. citizens and companies almost $50 billion, and the threat has only grown since then. These crimes are usually committed by individual criminals, so-called hacktivists, or criminal organizations, and represent the most common form of cyber threat.

2. Cyber espionage. Espionage pursues large, important targets, such as military blueprints or proprietary business plans, and is often state-sponsored. China, for instance, is a known bad actor in cyberspace. The Chinese not only allow and sponsor hackers, but have entire military and government units dedicated to stealing data from governments and private companies. China has been engaged in a prolonged campaign of stealing U.S. intellectual property and military secrets. Together with other hackers and cyber operations, China has stolen billions, if not trillions, of dollars in U.S. intellectual property, not to mention compromising U.S. national security secrets.

3. Cyber warfare. While cyber crime and espionage are serious problems, the U.S. also faces a threat from cyber warfare. Taking down communications, transportation, or other critical systems would severely impair the U.S. response to a physical attack, increasing the damage sustained. While such an event is “unlikely” according to Director of National Intelligence James Clapper, the U.S. must prepare for these threats, since terrorists or isolated states are likely to use such attacks as they gain the capabilities to do so.

Across all three tiers, poor information sharing is one of the main problems—and in this case, the government could offer protection, rather than regulating. Heritage experts recommend that “entities that share information about cyber threats, vulnerabilities, and breaches should have legal protection. The fact that they shared data about an attack, or even a complete breach, with the authorities should never open them up to legal action.”

The government hasn’t meaningfully addressed these problems—and it can’t solve them by regulation. Think about Obamacare: The law passed in 2010, yet we are just now seeing tens of thousands of pages of regulations being written. If cybersecurity regulations were created the same way, online threats would have changed many times by the time the regulations went into effect.

President Obama was dissatisfied with Congress’s lack of action last year, so he went around them with an executive order favoring a regulatory approach to cybersecurity. This was the wrong way to go, but Congress can still help.